I want to share my investigation of how you can configure a VPN for multiple tenants and terminate the VPN inside a VRF
of your customer, on two sites for redundancy with IP SLA.
If you are not familiar with the VRF-aware IPsec concept, look at this topic; it can help you understand.
VRF-AWARE IPsec
You can follow phase one here (Phase1)
MultiSite Redundancy
HSRP & DHCP in VRF
You can follow phase two here (Phase3)
Cisco
VRF-Aware Ipsec Cisco
VRF-Aware Ipsec Cisco 2
VRF-Aware Ipsec Cisco PDF
Topic
Generated on 2016-04-23-07:00
VPN - VRF-aware ipsec cheat sheet (MultiSite Redundancy) Real World - Part2
First scenario: two customers connected to DC1 and DC2 VPN access for redundancy (Phase2)
Topology
The goal of this second phase is to simulate two VPN client connections to two different DCs on a single device.
These customers have the same IP block in the local and the remote site and for this reason need
VRF-aware IPsec.
!! Note: the clients need to have two separate environments !!
To make this work we need to benefit from IKE profiles with keyrings and VRFs, and also from IP SLA.
LAB (Phase2)
In this lab we set up the two VPNs to the CX router and the KK router. I start the VPN from the
customer to CX; after that I simulate a link failure and we can see the second link go UP (I hope).
tran in ssh
!
CX-ASR ACL Cust-1 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-1
!
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
CX-ASR ACL Cust-2 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-2
!
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
CX-ASR NAT exemption for the VPN traffic and NAT for all other traffic (for VPN traffic)
access-list 100 remark -=[Define NAT Service]=
!
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
access-list 100 remark
CX-ASR route for VRF Cust1 (default route) !! Note: a more specific route can be set up !!
ip route vrf cust1-vrf 0.0.0.0 0.0.0.0 FastEthernet 0/0 85.147.160.1
!
CX-ASR route for VRF Cust2 (default route) !! Note: a more specific route can be set up !!
ip route vrf cust2-vrf 0.0.0.0 0.0.0.0 FastEthernet 0/0 85.147.160.1
!
CX-ASR Troubleshooting
CX-ASR show commands (general view)
sho ip int b
!
sho run
!
ip vrf
ip vrf outside-vrf
ip vrf cust1-vrf
ip vrf cust2-vrf
ip route vrf outside-vrf
ip route vrf cust1-vrf
ip route vrf cust2-vrf
cry ipsec
cry isakmp
ip icmp
ip nat
KK-ASR Configuration
KK-ASR Basic configuration
enable
!
Conf t
!
hostn KK-ASR
!
no ip domain-lo
!
ip domain-name yourdomain.com
!
usern cisco priv 15 sec cisco
!
no shut
!
descr Lan interface Cust-2
!
!
vrf cust1-vrf
!
keyring cust1-keyring
!
match identity address 104.57.98.10 255.255.255.240 outside-vrf
!
KK-ASR ACL Cust-1 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-1
!
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
KK-ASR ACL Cust-2 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-2
!
permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
KK-ASR NAT exemption for the VPN traffic and NAT for all other traffic (for VPN traffic)
access-list 100 remark -=[Define NAT Service]=
!
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
access-list 100 remark
KK-ASR route for VRF Cust1 (default route) !! Note: a more specific route can be set up !!
ip route vrf cust1-vrf 0.0.0.0 0.0.0.0 FastEthernet 0/0 104.57.98.1
!
KK-ASR route for VRF Cust2 (default route) !! Note: a more specific route can be set up !!
ip route vrf cust2-vrf 0.0.0.0 0.0.0.0 FastEthernet 0/0 104.57.98.1
!
KK-ASR Troubleshooting
KK-ASR show commands (general view)
sho ip int b
!
sho run
!
!
sho
!
sho
!
sho
!
sho
!
sho
!
ip vrf
ip vrf outside-vrf
ip vrf cust1-vrf
ip vrf cust2-vrf
ip route vrf outside-vrf
ip route vrf cust1-vrf
ip route vrf cust2-vrf
cry ipsec
cry isakmp
ip icmp
ip nat
Now we have finished with the two sites; from here on the difference is made on the customer side.
Cust1 Configuration
Cust1 Basic configuration
enable
!
Conf t
!
hostn Cust1
!
no ip domain-lo
!
ip domain-name yourdomain.com
!
usern cisco priv 15 sec cisco
!
We can use a sub-interface for that and tag the frames (optional)
Cust1 WAN 2 interface configuration (optional)
inte fa0/0.1
!
encapsulation dot1Q 999
!
ip address 104.57.98.10 255.255.255.240
!
no shut
!
descr WAN interface
!
We track the reachability of the remote site's node with ICMP echo probes, and if we
get no answer an action is taken: in our case a route is added or removed depending on
the result.
Cust1 IP SLA for WAN interfaces configuration
ip sla monitor 10
!
type echo protocol ipIcmpEcho 85.147.160.1 source-interface FastEthernet0/0
!
frequency 5
!
ip sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
Cust1 Apply to interface Crypto Map Phase 2 configuration for WAN Site A CX-ASR
int fa0/0
!
crypto map ipsec-maps
!
Cust1 Apply to interface Crypto Map Phase 2 configuration for WAN 2 Site B KK-ASR
int fa3/0
!
crypto map ipsec-maps-outside2
!
Cust1 ACL Cust-1 for Crypto Map Phase 2 configuration (Interesting Traffic). We use the same ACL
for both crypto maps because it is the same traffic, but you can create two ACLs if you want.
ip access-list extended cust-1
!
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
Cust1 NAT overload configuration (WAN traffic) for WAN Site A CX-ASR
ip nat inside source list 100 interface fastethernet0/0 overload
!
Cust1 NAT overload configuration (WAN traffic) for WAN 2 Site B KK-ASR
ip nat inside source list 150 interface fastethernet3/0 overload
!
Cust1 NAT exemption for the VPN traffic and NAT for all other traffic (for VPN traffic),
used for WAN Site A CX-ASR
access-list 100 remark -=[Define NAT Service]=
!
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 100 remark
Cust1 NAT exemption for the VPN traffic and NAT for all other traffic (for VPN traffic),
used for WAN 2 Site B KK-ASR
ip nat inside source list 150 interface fastethernet3/0 overload
!
access-list 150 remark -=[Define NAT Service]=!
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 150 remark
!
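Two properties of the ACLs above decide whether the tunnel carries traffic at all: the crypto ACL on the customer side (192.168.10.0/24 to 192.168.20.0/24) must be the mirror image of the one on CX-ASR and KK-ASR (192.168.20.0/24 to 192.168.10.0/24), and the NAT ACL must deny exactly that flow before its catch-all permit, otherwise the traffic is translated first and never matches the crypto map. The script below is an added example, not part of this cheat sheet and not a Cisco tool; it parses the CX-ASR and Cust1 ACLs shown on this page (copied into constructed string constants) and checks both properties. The `MISORDERED_NAT_ACL` constant is a constructed bad example, and the parser only understands the `permit|deny ip` entries used on this page.

```python
import ipaddress

# Constructed copies of the ACLs shown in the cheat sheet for the Cust1 tunnel:
# the crypto ACL on the customer router, its mirror on CX-ASR, and the NAT ACL
# that has to exempt the VPN traffic before the catch-all permit.
CUST1_CRYPTO_ACL = """
ip access-list extended cust-1
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
CX_ASR_CRYPTO_ACL = """
ip access-list extended cust-1
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
CUST1_NAT_ACL = """
access-list 100 remark -=[Define NAT Service]=
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
"""
# Constructed mistake: the catch-all permit comes first, so the deny is never
# reached and the VPN traffic gets translated.
MISORDERED_NAT_ACL = """
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'A.B.C.D W.W.W.W' pair into an ip_network (wildcard = inverted netmask)."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def _take_address(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W') from a token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse a 'permit|deny ip SRC DST' entry in numbered or named form.
    Returns (action, src_network, dst_network), or None for headers, remarks and other lines."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]  # drop 'access-list <number>'
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        return None
    action, rest = tokens[0], tokens[2:]
    src, rest = _take_address(rest)
    dst, _ = _take_address(rest)
    return action, src, dst


def parse_acl(text):
    """All IP entries of an ACL, in order; headers and remarks are skipped."""
    return [ace for ace in map(parse_ace, text.strip().splitlines()) if ace]


def crypto_acls_mirror(local_text, remote_text):
    """True when every permit on one end appears on the other end with src and dst swapped.
    Anything else surfaces as a Phase 2 proxy-identity mismatch when the SA is negotiated."""
    local = {(s, d) for a, s, d in parse_acl(local_text) if a == "permit"}
    remote = {(s, d) for a, s, d in parse_acl(remote_text) if a == "permit"}
    return local == {(d, s) for s, d in remote}


def first_match(acl, src, dst):
    """IOS ACLs are evaluated first-match, with an implicit deny at the end."""
    for action, a_src, a_dst in acl:
        if src.subnet_of(a_src) and dst.subnet_of(a_dst):
            return action
    return "deny"


def nat_exempts_vpn_traffic(nat_text, crypto_text):
    """True when every flow the crypto ACL selects hits a deny in the NAT ACL,
    i.e. it is excluded from translation and will still match the crypto map."""
    nat = parse_acl(nat_text)
    return all(first_match(nat, src, dst) == "deny"
               for action, src, dst in parse_acl(crypto_text) if action == "permit")


if __name__ == "__main__":
    print("crypto ACLs mirrored:   ", crypto_acls_mirror(CUST1_CRYPTO_ACL, CX_ASR_CRYPTO_ACL))
    print("NAT exempts VPN traffic:", nat_exempts_vpn_traffic(CUST1_NAT_ACL, CUST1_CRYPTO_ACL))
    print("misordered NAT ACL:     ", nat_exempts_vpn_traffic(MISORDERED_NAT_ACL, CUST1_CRYPTO_ACL))
```

Run it as-is to check the page's ACLs; to check your own, paste the `ip access-list` or `access-list` lines from `show running-config` into the constants. The same check applies to the Cust2 ACLs, which differ only in name.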
Cust1 route (default route) for WAN Site A CX-ASR, added with a track object !! Note: a more specific
route can be set up !!
ip route 192.168.20.0 255.255.255.0 85.147.160.1 track 1
!
Cust1 route (default route) for WAN 2 Site B KK-ASR, added with a track object !! Note: a more specific
route can be set up !!
ip route 192.168.20.0 255.255.255.0 104.57.98.1 254 track 2
!
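The IP SLA probe, the track object and the two tracked static routes form one failover mechanism: the route via CX-ASR (administrative distance 1, the IOS default) is withdrawn while track 1 is down, and the floating route via KK-ASR with distance 254 then becomes the only candidate and is installed; when track 1 comes back, the lower distance wins again. The model below is an added example, not from this cheat sheet and not IOS code; it replays that selection for the two Cust1 routes above (prefix, next hops and distances are the page's own; the RIB, the event sequence and the `build_cust1_rib`/`failover_sequence` names are a constructed simplification) and also shows what happens when the 254 is omitted.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    """One 'ip route PREFIX MASK NEXT-HOP [DISTANCE] track N' line."""
    prefix: str
    next_hop: str
    distance: int = 1            # IOS default administrative distance for a static route
    track: Optional[int] = None  # tracked object that gates the route


class TrackedRib:
    """Toy RIB (constructed simplification, not IOS): a tracked static route is a candidate
    only while its track object reports reachability; among candidates the lowest
    administrative distance wins, and ties are all installed (equal-cost load sharing)."""

    def __init__(self, routes):
        self.routes = list(routes)
        self.track_state = {}  # track id -> True (up) / False (down), fed by IP SLA

    def sla_result(self, track, reachable):
        """Deliver an IP SLA verdict to a track object ('track N rtr M reachability')."""
        self.track_state[track] = reachable

    def installed(self, prefix):
        """Next hop(s) currently installed for prefix; a track never reported counts as down."""
        candidates = [r for r in self.routes
                      if r.prefix == prefix
                      and (r.track is None or self.track_state.get(r.track, False))]
        if not candidates:
            return []
        best = min(r.distance for r in candidates)
        return [r.next_hop for r in candidates if r.distance == best]


def build_cust1_rib(backup_distance=254):
    """The two Cust1 routes from the cheat sheet: primary via CX-ASR gated by track 1,
    floating backup via KK-ASR gated by track 2 with distance 254."""
    return TrackedRib([
        StaticRoute("192.168.20.0/24", "85.147.160.1", 1, track=1),
        StaticRoute("192.168.20.0/24", "104.57.98.1", backup_distance, track=2),
    ])


def failover_sequence(rib, prefix="192.168.20.0/24"):
    """Replay the lab: both probes answer, Site A stops answering, Site A recovers,
    then both sites are unreachable. Returns the installed next hops after each step."""
    steps = [
        ("both sites reachable", [(1, True), (2, True)]),
        ("Site A probe fails", [(1, False)]),
        ("Site A recovers (preempts)", [(1, True)]),
        ("both probes fail", [(1, False), (2, False)]),
    ]
    history = []
    for label, verdicts in steps:
        for track, reachable in verdicts:
            rib.sla_result(track, reachable)
        history.append((label, rib.installed(prefix)))
    return history


if __name__ == "__main__":
    for label, hops in failover_sequence(build_cust1_rib()):
        print(f"{label:28s} -> {hops}")
    # Without the 254 both routes have distance 1, so both would be installed and
    # flows would be spread over the two tunnels instead of KK-ASR staying a backup.
    print("no floating distance         ->",
          failover_sequence(build_cust1_rib(backup_distance=1))[0][1])
```

The last line of output is the reason the backup route carries `254`: with equal distances the RIB installs both next hops at once, and the small delay the author observes on failover is the probe interval (`frequency 5`) plus the time for the new route, the new tunnel and the first ARP to settle, which this model does not try to time.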
Cust1 Troubleshooting
Cust1 show commands (general view)
sho ip int b
!
sho run
!
cry ipsec
cry isakmp
ip icmp
ip nat
Cust2 Configuration
Cust2 Basic configuration
enable
!
Conf t
!
hostn Cust2
!
no ip domain-lo
!
ip domain-name yourdomain.com
!
usern cisco priv 15 sec cisco
!
1024
!
line con 0
!
loggi syn
!
exec-t 25
!
line vty 0 15
!
login local
!
tran in ssh
We can use a sub-interface for that and tag the frames (optional)
Cust2 WAN 2 interface configuration (optional)
inte fa0/0.1
!
encapsulation dot1Q 999
!
ip address 104.57.98.11 255.255.255.240
!
no shut
!
descr WAN interface
!
We track the reachability of the remote site's node with ICMP echo probes, and if we
get no answer an action is taken: in our case a route is added or removed depending on
the result.
Cust2 IP SLA for WAN interfaces configuration
ip sla monitor 10
!
type echo protocol ipIcmpEcho 85.147.160.1 source-interface FastEthernet0/0
!
frequency 5
!
ip sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
Cust2 ACL Cust-1 for Crypto Map Phase 2 configuration (Interesting Traffic)
ip access-list extended cust-2
!
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
Cust2 Apply to interface Crypto Map Phase 2 configuration for WAN 2 Site B KK-ASR
int fa3/0
!
crypto map ipsec-maps-outside2
!
Cust2 ACL Cust-2 for Crypto Map Phase 2 configuration (Interesting Traffic). We use the same ACL
for both crypto maps because it is the same traffic, but you can create two ACLs if you want.
ip access-list extended cust-1
!
permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
Cust2 NAT overload configuration (WAN traffic) for WAN 2 Site B KK-ASR
ip nat inside source list 150 interface fastethernet3/0 overload
!
Cust2 NAT exemption for the VPN traffic and NAT for all other traffic (for VPN traffic)
access-list 100 remark -=[Define NAT Service]=
!
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 100 remark
Cust2 NAT exemption for the VPN traffic and NAT for all other traffic (for VPN traffic),
used for WAN 2 Site B KK-ASR
ip nat inside source list 150 interface fastethernet3/0 overload
!
access-list 150 remark -=[Define NAT Service]=!
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 150 remark
!
Cust2 route (default route) for WAN Site A CX-ASR, added with a track object !! Note: a more specific
route can be set up !!
ip route 192.168.20.0 255.255.255.0 85.147.160.1 track 1
!
Cust2 route (default route) for WAN 2 Site B KK-ASR, added with a track object !! Note: a more specific
route can be set up !!
ip route 192.168.20.0 255.255.255.0 104.57.98.1 254 track 2
!
Cust2 Troubleshooting
Cust2 show commands (general view)
sho ip int b
!
sho run
!
cry ipsec
cry isakmp
ip icmp
ip nat
I initiate the connectivity from Cust1 to the CX-ASR router, which is the primary site, over WAN link 1; you can
see on the screen that the two VPNs are down at the beginning.
Now you can see the ICMP replies from CX-ASR, and the VPN status is UP for Cust1.
Now if you look at the routing table of Cust1 you can see that the route to reach the subnet
192.168.20.0/24 points to the CX-ASR.
Now I'm going to simulate a failure on the CX-ASR router, ping continuously and see what
happens to the traffic.
Here we are: in the first ping to Site A you can see that the first packet is dropped because of the
ARP table, and the VPN is down on CX-ASR.
After that the VPN comes UP and you can see the pings are answered; when I shut down the link of Site A
there is a small delay.
This delay is the time configured for the IP SLA tracking, plus the insertion of the new route in the routing table,
the VPN setup and the first ARP.
After that the subnet still responds, but not from the same site: if I show you the screen of the
new ip route, the route has changed and the distance is 254.
Now if I look at the crypto sessions, the two VPNs are UP, and if I switch.